Enabling comparable data access control for lightweight mobile devices in clouds

ABSTRACT

A new efficient framework based on a Constant-size Ciphertext Policy Comparative Attribute-Based Encryption (CCP-CABE) approach is disclosed. CCP-CABE assists lightweight mobile devices in storing privacy-sensitive data in cloud-based storage by offloading major cryptographic computation overhead to the cloud without exposing data content to the cloud. CCP-CABE extends existing attribute-based data access control solutions by incorporating comparable attributes to support more flexible security access control policies. CCP-CABE generates constant-size ciphertext regardless of the number of involved attributes, which is suitable for mobile devices considering their limited communication and storage capacities.

CROSS-REFERENCE TO RELATED APPLICATIONS

This patent application is a divisional of U.S. application Ser. No. 14/216,332, filed Mar. 17, 2014, which claims priority to U.S. Provisional Application No. 61/788,552, filed Mar. 15, 2013, all of which are incorporated by reference in their entireties without disclaimer.

This application is related to U.S. application Ser. No. 14/216,202, filed Mar. 17, 2014, the entire disclosure of which is hereby incorporated by reference.

STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH OR DEVELOPMENT

This invention was made with government support under Grant No. N000014-10-1-0714 awarded by The Office of Naval Research (Navy/ONR). The government has certain rights in the invention.

BACKGROUND

1. Field of the Invention

The present invention relates generally to encryption. More particularly, it relates to Ciphertext Policy Attribute Based Encryption (CP-ABE).

2. Description of Related Art

Data access control has been an increasing concern in the cloud environment where cloud users can compute, store and share their data. Cloud computing provides a scalable, location-independent and high-performance solution by delegating computation tasks and storage into the resource-rich clouds. This overcomes the resource limitation of users with respect to data storage, data sharing and computation; especially when it comes to mobile devices considering their limitations of processing hardware, storage space, and battery life. However, in reality, the cloud is usually not fully trusted by data owners; moreover, the cloud service providers may be tempted to peek at users' sensitive data and produce trapdoors in computation for commercial interests. To enforce secure data access control on untrusted cloud servers, traditional methods (e.g., AES) encrypt data before storing it in the cloud, but they incur high key-management overhead to provide dynamic group-based access control and significantly increase the system complexity.

Ciphertext-Policy Attribute-Based Encryption (CP-ABE) has been proposed to provide a fine-grained access control for dynamic group formation in cloud-based data storage solutions. It enables the data owners to create access policies by designating attribute constraints and embedding the data access policies into the ciphertext, such that any data user has to satisfy the corresponding attributes to access the data. CP-ABE is designed to handle descriptive attributes, and it needs to convert comparative attributes into a bit-wise monotone access tree structure to enforce expressive access control of encrypted data. New methods for outsourcing decryption of ABE ciphertexts with significantly reduced decryption cost were devised, but their encryption cost grows with the number of involved attributes, and bitwise comparison has to be adopted for comparison.

Generally speaking, most existing CP-ABE schemes suffer several drawbacks. One drawback is that they require intensive computation to set up an access tree structure and perform subsequent encryption or decryption conforming to the tree structure. Hence, they are unsuitable for computation-constrained mobile devices.

Another drawback is that most existing CP-ABE schemes perform cryptographic comparison operations (such as ≤ and ≥) by following a series of bit-wise equal matching (e.g., 10*11*01) in a hierarchical tree structure, which involves a substantial amount of computational cost.

Another drawback is that most existing CP-ABE schemes do not support effective range comparisons (e.g., 2≤hours≤4, 3≤level≤5). In fact, an attribute could have a collection of possible values in a sequential partial order. In other words, certain attributes may take the form of range values. For example, a healthy adult's resting heart rate may range from 60 to 100 beats per minute. Another example is that New York State residents with the income from $8,001 to $11,000 may be subject to 4.5% tax rates.

Additionally, most existing ABE schemes rely on bitwise-comparison operators with AND/OR gates and they cannot effectively support dual comparative expressions. Besides, the computational cost they bring overwhelms resource-limited mobile devices. One existing ABE scheme introduced an integer comparison mechanism to fine-grained access control based on attribute range. The same scheme is used to apply temporal access control and role-based control. However, the encryption cost involved is still too heavy for resource-constrained data owners, and the size of users' private keys and ciphertext overhead grows linearly with the number of attributes. Moreover, it has not considered negative attributes and wildcards.

Additionally, multi-authority ABE starts to attract attention as multiple attribute authorities are required to operate independently in many application scenarios. One existing multi-authority ABE requires a central trusted party to issue the key to every user. An improved version removes the central authority, and requires all the attribute authorities to cooperate in the access control. Other multi-authority ABE schemes require a centralized authority to create the master key and accordingly generate keys to each user. Multi-authority ABE schemes have been developed in which no preset access structure exists and the key generation authorities can work independently from each other. In the meantime, the privacy of access policy is a concern in attribute-based encryption. Certain multi-authority ABE schemes have been proposed to ensure the recipient gets no information of the policy if the decryption fails after a complete computation-intensive process with a central authority.

SUMMARY

This disclosure includes embodiments of Ciphertext Policy Attribute Based Encryption (CP-ABE) systems. To address the issues stated above, the embodiments may support both negative attributes and wildcards along with various range relationships over different attributes. The embodiments may ensure the sizes of key and ciphertext overhead remain constant regardless of the number of attributes. In the disclosed embodiments, encryption and decryption overhead over data owners and data users may also stay constant irrespective of the number of attributes.

The disclosed embodiments further may enable data owners to label attribute domains with different levels of confidentiality in the access policy while the attribute authorities can operate independently. In the disclosed embodiments, the policy over each attribute domain may be revealed only if the data owners' attribute ranges can satisfy the policy over the less confidential attribute domains in Extended Ciphertext Policy Attribute Based Encryption (ECCP-CABE) systems. ECCP-CABE achieves efficiency at the cost of less flexible attribute structure compared to various multi-authority ABE schemes. In addition, ECCP-CABE provides policy exposure at the attribute domain level and performs encryption and decryption over each attribute domain in a batch-processing manner.

Some embodiments of the present disclosure comprise a method of storing encrypted data in a computer based processing system. In some embodiments, the method comprises generating a public key PK and a master key MK. In some embodiments, the method comprises publishing said public key PK and issuing private keys SK_(LU) and public keys PK_(LU) to each data user. In some embodiments, said public and private keys are based on the data user's ID and attribute range L_(U). In some embodiments, the method comprises receiving a request for a partially encrypted header from a data owner. In some embodiments, said request includes a specified access control policy Ps.

In some embodiments, the method comprises generating a partially encrypted header H̃ based on the public key PK, the master key MK, and the specified access control policy Ps. In some embodiments, the method comprises transmitting said partially encrypted header H̃ to said data owner. In some embodiments, the method comprises receiving a header H and encrypted data from said data owner. In some embodiments, said header H and encrypted data are based at least in part on said partially encrypted header H̃.

In some embodiments, the access control policy Ps may be a non-hierarchical structure. In some embodiments, it can apply different range relationships on different attributes: i) intersection: [t_(i), t_(j)]∩[t_(a), t_(b)]≠Ø; ii) contained: [t_(i), t_(j)]⊆[t_(a), t_(b)]; iii) containing: [t_(i), t_(j)]⊇[t_(a), t_(b)]. In some embodiments, the second and the third range relationships may be the special cases of the intersection relationship, so the techniques used in the intersection range relationship can also be used for the following two range relationships.

In some embodiments, the method may further comprise receiving a request from a user for access to encrypted data, partially decrypting said header H based on the user's public key PK_(LU), privilege LU and access control policy Ps, and sending the partially decrypted header H̃ to the user.

In some embodiments, multi-dimensional forward/backward derivative functions may be used to compare a data user's attribute range LU to a specified access control policy Ps.

In some embodiments, the step of generating a public key PK and a master key MK may be performed in accordance with the following algorithm:

-   1) selects two generators G, W∈    ;
-   2) randomly chooses λ∈    _(n)* and computes T=λW∈    ;
-   3) selects a random α∈    _(n)* and computes e(G, W)^(α);
-   4) selects random {right arrow over (π)},    ∈    _(n)*;
-   5) publishes PK={    , T, W, h(⋅)}, e(G, W)^(α) as public key, keep master key MK={λ, α, G, {right arrow over (π)},    } as secret.

In some embodiments, the step of issuing private keys SK_(LU) and public keys PK_(LU) to each data user, said public and private keys based on the data user's ID and attribute range L_(U), may be performed in accordance with the following algorithm:

-   -   KeyGen (MK, u,        _(u))→(        ,        ): Given a user u's attribute ranges        _(u)={[ν_(i,a), ν_(i,b)]}_(1≤i≤m), this algorithm outputs u's        public key P        ={{right arrow over (ψ)} _(U) ,        _(Ū)} and u's private key        ={A_(u), {right arrow over (A)}_(u),        _(u)}. Each part of        and        are generated as follows:        -   1) computes {{right arrow over (w)}_(i,a)=Π_(0≤ξ≤a)            (h(ν_(i,ξ)))}_(1≤i≤m) and {            _(i,b)=Π_(b≤ξ≤n) _(i) (h(ν_(i,ξ)))}_(1≤i≤m);        -   2) computes the first part and second part of public key P            : {right arrow over (ψ)} _(U={right arrow over (π)})            ^({right arrow over (w)}) ^(U) ={right arrow over (π)}^(Π)            ^(1≤i≤m) ^({right arrow over (w)}) ^(i,a) ,            _(Ū)=            =            ^(Π) ^(1≤i≤m)            ^(i,b) ;        -   3) chooses a random γ_(u)∈            _(N)* for each user u and computes the first part of private            key            : A_(u)=(γ_(u)+α)G∈            ;        -   4) computes the second part and third part of private key

$SK_{\mathcal{L}_u}:\quad \overrightarrow{A}_u = \frac{\gamma_u}{\lambda \overrightarrow{\psi}_{\underline{U}} + 1}\,G \in \mathbb{G} \quad\text{and}\quad \overleftarrow{A}_u = \frac{\gamma_u}{\lambda \overleftarrow{\psi}_{\overline{U}} + 1}\,G \in \mathbb{G};$

In some embodiments, the step of generating a partially encrypted header H̃ may be performed in accordance with the following algorithm.

-   -   EncDelegate(PK, MK,        _(s))→H: Given public key PK, master key MK and the designated        access control policy of attribute range        _(s)={[ν_(i,j), ν_(i,k)]}_(1≤i≤m), this algorithm outputs the        partially encrypted header {tilde over (H)}={{right arrow over        (ψ)} _(s) ,        _(s) } by the steps below:        -   1) computes {{right arrow over            (w)}_(i,k)=Π_(0≤ξ≤k)(h(ν_(i,ξ)))}_(1≤i≤m) and {            _(i,j)=Π_(j≤ξ≤n) _(i) (h(ν_(i,ξ)))}_(1≤i≤m);        -   2) computes {right arrow over (w)} _(s) =Π_(1≤i≤m){right            arrow over (w)}_(i,k) and            =Π_(1≤i≤m)            _(i,j);        -   3) computes the first part of partially encrypted header            {right arrow over (ψ)} _(s) ={right arrow over            (π)}^({right arrow over (w)}) ^(s) ={right arrow over            (π)}^(Π) ^(1≤i≤m) ^({right arrow over (w)}) ^(i,k) and the            second part of partially encrypted header            _(s) =            ^(s) =            ^(Π) ^(1≤i≤m)            ^(i,j) ;

In some embodiments, a method for encrypting data in a computer based processing system using a trust authority with a public key PK and a master key MK, comprises sending a request for a partially encrypted header H̃ to the trust authority with a specified access control policy Ps. In some embodiments, the method comprises receiving a partially encrypted header computed by the trust authority, said partially encrypted header H̃ being based on the public key PK, the master key MK, and the specified access control policy Ps. In some embodiments, the method comprises encrypting data using the partially encrypted header H̃.

In some embodiments, the step of encrypting data may comprise generating a session key Ks and ciphertext H using the partially encrypted header H̃.

In some embodiments, the data may be encrypted according to the following algorithm:

-   -   Encrypt(Ĥ)→(H, K_(s)): Given the partially encrypted header,        this algorithm produces the session key K_(s) and ciphertext H={        _(s), C, E _(s) , E _(s) , Ê _(s) , Ê _(s) } to cloud storage.        Each part of H is generated as follows:        -   1) randomly chooses two secret s₁, s₂∈            _(n);        -   2) computes the main secret s=s₁+s₂∈            _(n) and derives C=sW∈            ;        -   3) produces the session key K_(s)=e(G,W)^(αs) and uses K_(s)            to encrypt data.        -   4) computes E _(s) =s₁T and E _(s) =s₂T;        -   5) computes Ê _(s) =s₁{right arrow over (ψ)} _(s)            T·s₁W=s₁{right arrow over (ψ)} _(s) λW·s₁W=s₁(λ{right arrow            over (ψ)} _(s) +1)W and Ê _(s) =s₂            _(s) T·s₂W=s₂            _(s) λW·s₂W=s₂(λ            _(s) +1)W.

In some embodiments, the computer based processing system may be a cloud storage system.

In some embodiments, a method of decrypting data which has been stored in a computer based processing system in accordance with the previously described method comprises receiving a request for access to data. In some embodiments, said request includes a user identity. In some embodiments, the method further comprises partially decrypting an encrypted header H if said user is entitled to access said data based on the user's public key PK_(LU), privilege L_(U) and access control policy Ps. In some embodiments, the method comprises sending the partially decrypted header H̃ to said user.

In some embodiments, the step of partially decrypting the header H may be performed in accordance with the following algorithm:

-   -   DecDelegate(H,        ,        _(u),        _(s))→Ĥ: Given a user's public key        and privilege        _(u) along with the data owner's access control policy        _(s), the algorithm should output {right arrow over (ψ)} _(s)        and        _(s) only if [ν_(i,j), ν_(i,k)]∩[ν_(i,a), ν_(i,b)]≠Ø for all        A_(i)∈        :        ({right arrow over (ψ)} _(U) )=({right arrow over (ψ)} _(U) )        ^(w) ^(U,s)        =({right arrow over (π)}^(Π) ^(1≤i≤m) ^({right arrow over (w)})        ^(i,a) )^(Π) ^(1≤i≤m) ^((w) ^(i,(a,k)) ⁾={right arrow over (ψ)}        _(s) (mod n)        (        _(Ū))=(        _(Ū)) ^(w) ^(s,Ū)        =(        ^(Π) ^(1≤i≤m)        ^(i,b) )^(Π) ^(1≤i≤m) ^((w) ^(i,(j,b)) ⁾=        _(s) (mod n)    -   where {right arrow over (w)} _(U,s) =Π_(1≤i≤m)(w _(i,(a,k))) and        w _(s,Ū)=Π_(1≤i≤m)(w _(i,(j,b))). Then it outputs {tilde over        (H)}={H, {right arrow over (ψ)} _(U) −{right arrow over (ψ)}        _(s) ,        _(Ū)−        _(s) } as partially decrypted header.
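The one-way derivation that DecDelegate relies on, and that the forward/backward derivative functions mentioned earlier refer to, is shown below as an added Python example with small constructed parameters (it is not code from the patent, and the pairing steps are left out). Assumed here: the modulus N, the bases 5 and 7, a SHA-256-based h, all function names, and the exponent w_(i,(a,k)) taken as the product of h over value numbers a<ξ≤k (j≤ξ<b in the backward direction), which is what the relation (ψ_U)^w=ψ_S requires.

```python
"""Forward/backward range derivation with constructed, insecure parameters."""
import hashlib
from math import prod

# Constructed parameters: a real deployment uses a large modulus whose factors
# stay secret, so nobody can take roots (that is, divide exponents).
N = 1000003 * 1000033
PI_FWD, PI_BWD = 5, 7            # stand-ins for the authority's two secret bases
SIZES = [4, 10]                  # constructed: rank has 4 values, time has 10
POLICY = [(2, 4), (3, 6)]        # (j, k) per attribute: rank above Nurse, t_3..t_6


def h(attr: int, idx: int) -> int:
    """Assumed hash h(.): map value number idx of attribute attr to an odd integer."""
    digest = hashlib.sha256(f"{attr}:{idx}".encode()).digest()
    return int.from_bytes(digest[:8], "big") | 1


def authority_fwd(bounds):
    """pi_fwd ^ prod_i prod_{0<=x<=bound_i} h(i, x); bound is the user's a or the policy's k."""
    e = prod(h(i, x) for i, hi in enumerate(bounds) for x in range(0, hi + 1))
    return pow(PI_FWD, e, N)


def authority_bwd(bounds, sizes):
    """pi_bwd ^ prod_i prod_{bound_i<=x<=n_i} h(i, x); bound is the user's b or the policy's j."""
    e = prod(h(i, x) for i, lo in enumerate(bounds) for x in range(lo, sizes[i] + 1))
    return pow(PI_BWD, e, N)


def dec_delegate(psi_u_fwd, psi_u_bwd, user, policy):
    """Cloud-side step: turn the user's two values into the policy's two values.

    user = [(a_i, b_i)] and policy = [(j_i, k_i)] are value numbers per attribute.
    Only multiplying exponents is possible, so the forward value can move from a
    up to k and the backward value from b down to j. Both work for every
    attribute exactly when a <= k and j <= b, i.e. when the ranges intersect.
    """
    if any(a > k or j > b for (a, b), (j, k) in zip(user, policy)):
        return None  # would require removing factors from a hidden exponent
    w_fwd = prod(h(i, x) for i, ((a, _), (_, k)) in enumerate(zip(user, policy))
                 for x in range(a + 1, k + 1))
    w_bwd = prod(h(i, x) for i, ((_, b), (j, _)) in enumerate(zip(user, policy))
                 for x in range(j, b))
    return pow(psi_u_fwd, w_fwd, N), pow(psi_u_bwd, w_bwd, N)


def issue(user):
    """Authority issues the two public-key parts for the user's ranges [(a, b)]."""
    return (authority_fwd([a for a, _ in user]),
            authority_bwd([b for _, b in user], SIZES))


def policy_header():
    """The two values the authority places in the partially encrypted header."""
    return (authority_fwd([k for _, k in POLICY]),
            authority_bwd([j for j, _ in POLICY], SIZES))


def check(user):
    """True if the delegate reproduces the policy header from the user's key."""
    out = dec_delegate(*issue(user), user, POLICY)
    return out is not None and out == policy_header()


if __name__ == "__main__":
    print("senior doctor, t_4..t_5:", check([(3, 3), (4, 5)]))
    print("nurse, t_4..t_5:        ", check([(1, 1), (4, 5)]))
    print("senior doctor, t_7..t_9:", check([(3, 3), (7, 9)]))
```
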

In some embodiments, the method may further comprise retrieving a session key Ks with the following algorithm and decrypting data utilizing the session key Ks.

-   -   Decrypt(        , Ĥ)→K_(s): Given the delegation key        and header Ĥ, this algorithm perform the following computation:

$\begin{aligned}
\Gamma(s_1) &= e\left(\overrightarrow{A}_u,\ \hat{E}_{\overline{S}} \cdot \left(\overrightarrow{\psi}_{\underline{U}} - \overrightarrow{\psi}_{\overline{S}}\right) E_{\overline{S}}\right) \\
&= e\left(\overrightarrow{A}_u,\ s_1\left(\lambda \overrightarrow{\psi}_{\overline{S}} + 1\right) W \cdot \left(\overrightarrow{\psi}_{\underline{U}} - \overrightarrow{\psi}_{\overline{S}}\right) s_1 \lambda W\right) \\
&= e\left(\overrightarrow{A}_u,\ s_1\left(\lambda \overrightarrow{\psi}_{\overline{S}} + 1 + \lambda \overrightarrow{\psi}_{\underline{U}} - \lambda \overrightarrow{\psi}_{\overline{S}}\right) W\right) \\
&= e\left(\frac{\gamma_u}{\lambda \overrightarrow{\psi}_{\underline{U}} + 1}\,G,\ s_1\left(\lambda \overrightarrow{\psi}_{\underline{U}} + 1\right) W\right) \\
&= e(G, W)^{\frac{\gamma_u}{\lambda \overrightarrow{\psi}_{\underline{U}} + 1} \cdot s_1\left(\lambda \overrightarrow{\psi}_{\underline{U}} + 1\right)} \\
&= e(G, W)^{\gamma_u s_1}
\end{aligned}$

$\begin{aligned}
\Gamma(s_2) &= e\left(\overleftarrow{A}_u,\ \hat{E}_{\underline{S}} \cdot \left(\overleftarrow{\psi}_{\overline{U}} - \overleftarrow{\psi}_{\underline{S}}\right) E_{\underline{S}}\right) \\
&= e\left(\overleftarrow{A}_u,\ s_2\left(\lambda \overleftarrow{\psi}_{\underline{S}} + 1\right) W \cdot \left(\overleftarrow{\psi}_{\overline{U}} - \overleftarrow{\psi}_{\underline{S}}\right) s_2 \lambda W\right) \\
&= e\left(\overleftarrow{A}_u,\ s_2\left(\lambda \overleftarrow{\psi}_{\underline{S}} + 1 + \lambda \overleftarrow{\psi}_{\overline{U}} - \lambda \overleftarrow{\psi}_{\underline{S}}\right) W\right) \\
&= e\left(\frac{\gamma_u}{\lambda \overleftarrow{\psi}_{\overline{U}} + 1}\,G,\ s_2\left(\lambda \overleftarrow{\psi}_{\overline{U}} + 1\right) W\right) \\
&= e(G, W)^{\frac{\gamma_u}{\lambda \overleftarrow{\psi}_{\overline{U}} + 1} \cdot s_2\left(\lambda \overleftarrow{\psi}_{\overline{U}} + 1\right)} \\
&= e(G, W)^{\gamma_u s_2}
\end{aligned}$

It can derive $I = \Gamma(s_1) \cdot \Gamma(s_2) = e(G, W)^{\gamma_u s}$.

In some embodiments, the method may be performed at least partially in a cloud storage system.

In some embodiments, a non-transitory computer readable medium stores a program causing a computer to execute a process in accordance with any of the foregoing methods.

In some embodiments, an encryption device comprises a processor, and a memory coupled to said processor, wherein said processor is configured with logic to execute a process in accordance with any one of the foregoing methods.

In some embodiments, a cloud storage system comprises a cloud resource, said cloud resource comprising a processor configured with logic to execute a process in accordance with any one of the foregoing methods.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts an exemplary embodiment that illustrates two-dimensional attribute ranges in an example of the disclosed CCP-CABE scheme.

FIG. 2 depicts an exemplary embodiment that illustrates an architecture of a CCP-CABE framework with a central trust authority.

FIG. 3 depicts an exemplary embodiment that illustrates exemplary attribute range relations used in the disclosed CCP-CABE scheme.

FIG. 4 depicts an exemplary embodiment that illustrates how the disclosed CCP-CABE scheme can adapt for multiple different range relationships.

FIG. 5 depicts an exemplary embodiment that illustrates a computational cost of algorithms in CCP-CABE with a different comparison range.

FIG. 6 depicts an exemplary embodiment that illustrates a computational cost of algorithms in CCP-CABE with a different number of attributes.

FIG. 7 depicts an exemplary embodiment that illustrates a computational cost of algorithms in CCP-CABE with a different number of attribute domains.

DESCRIPTION OF ILLUSTRATIVE EMBODIMENTS

In the following detailed description, reference is made to the accompanying drawings, in which are shown exemplary but non-limiting and non-exhaustive embodiments of the invention. These embodiments are described in sufficient detail to enable those having skill in the art to practice the invention, and it is understood that other embodiments may be used, and other changes may be made, without departing from the spirit or scope of the invention. The following detailed description is, therefore, not to be taken in a limiting sense, and the scope of the invention is defined only by the appended claims. In the accompanying drawings, like reference numerals refer to like parts throughout the various figures unless otherwise specified.

A new comparative attribute-based encryption scheme, namely Constant-size Ciphertext Policy Comparative Attribute Based Encryption (CCP-CABE) is disclosed. FIG. 1 discloses an exemplary embodiment graph 10 used to illustrate how the encryption scheme works in a real-world scenario (e.g., telemedicine). In the embodiment shown, a patient periodically uploads his/her health records to a medical information service delivered by a cloud provider, and healthcare professionals in the designated clinic can monitor his/her health status based on his/her health records. In the embodiment shown, this patient has a policy that only healthcare professionals with positions higher than Nurse 12 can access his/her health info between time t_(j) and t_(k). Thus, the data access can be specified by a policy P=[A₁

A₂], where A₁=rank and A₂=time are two attributes, and each attribute has a certain range, where Rank={Nurse 12, Attending Doctor 14, Senior Doctor 16, Clinic Director 18} and Time={t_(x)|x∈Z}. In the embodiment shown, correspondingly, a Senior Doctor who has a higher rank can access the data if he/she has been authorized to the time interval that is contained in [t_(j), t_(k)].

The proposed CCP-CABE integrates all attribute ranges as a single encryption parameter and compares data users' attribute ranges against attribute constraints of an access policy designated by the data owner through Multi-dimensional Range Derivation Function (MRDF). Consequently, the communication overhead is substantially reduced, as the packet size is constant regardless of the number of attributes. Furthermore, intensive encryption and decryption operations are delegated to a mobile cloud. As a result, the computation cost of resource-limited data owners and data users remains minimal. These features make the CCP-CABE approach suitable for data sensing and retrieval services running on lightweight mobile devices or sensors. In certain embodiments, an extended CCP-CABE is provided to satisfy the application requirement that data owners need to share data with a policy written over attributes issued across various attribute domains. Both schemes may be secure against various attacks, preventing honest-but-curious cloud service owners from decrypting ciphertext and countering key collusion attacks from multiple data owners and users.

In certain embodiments, CCP-CABE is a new comparative attribute-based encryption scheme to provide efficient and secure access control in a cloud environment. It leverages MRDF to compare data users' attribute ranges against attribute constraints designated by the data owner.

In certain embodiments, CCP-CABE can predefine different range intersection relationships on different attributes. It also incorporates wildcards and negative attributes so it can handle more expressive types of access control.

In certain embodiments, CCP-CABE minimizes the communication overhead to constant size regardless of the number of attributes and comparison ranges. It also minimizes the computation overhead on resource-constrained data owners and data users irrespective of the number of attributes due to secure computation delegation. Evaluation results show that the computation overhead of mobile devices remains small and constant irrespective of the associated attributes and comparison ranges.

In certain embodiments, CCP-CABE enforces access control over multiple independent attribute domains. An encrypted access policy prioritizes the level of confidentiality of different attribute domains, and data users can only start decryption from the least confidential domain to the most confidential one to help protect the privacy of the access policies. Communication and computation overhead only grows with the number of trust authorities rather than the number of attributes.

In certain embodiments, CCP-CABE can predefine different range relationships on different attributes (e.g., [t_(i), t_(j)]∩[t_(a), t_(b)]≠Ø, [t_(i), t_(j)]⊆[t_(a), t_(b)], [t_(i), t_(j)]⊇[t_(a), t_(b)]). It also can incorporate wildcards and negative attributes, and so it can handle more expressive types of encrypted access control.

CCP-CABE System Overview, Preliminaries, and Security Model

FIG. 2 discloses an exemplary embodiment of a CCP-CABE application framework 30. A CCP-CABE framework may comprise a central Trust Authority (TA) 32 (e.g., a government health agency), a trusted Encryption Service Provider 34, a Cloud Provider 36, data owners 38 (e.g., patients) and data users 40 (e.g., healthcare professionals). The framework may further comprise In the telemedicine example of FIG. 1, the patients may have resource-limited biometric devices, and they may need to distribute the sensitive Electronic Health Records (EHRs) to different storage servers hosted by cloud providers for healthcare professionals in remote places to review. In the embodiment shown, the patients can specify different access policies with respect to healthcare professionals' attribute ranges (e.g., positions, length of service). To protect the patients' privacy, the government health agency may issue keys to both patients and healthcare professionals for EHR encryption and decryption. Hence, in certain embodiments, the patients can embed their access policies into the health data with the keys, and only the eligible healthcare professionals can decrypt corresponding EHRs with their delegation/private keys based on their own attribute ranges.

A definition of attribute range and problem formulation will now be provided. In Table 1, commonly used symbols in CCP-CABE are listed for reference. Certain comparison operations are shown as below:

TABLE 1: Notations for CCP-CABE

| Notation | Description |
|---|---|
| , A_(i) | the whole attribute set and its i-th attribute |
| m | the number of attributes in |
| n_(i) | the maximum number of attribute values in A_(i) |
| P | the data owner's access control policy |
| _(u) | the data user u's attribute ranges |
| R, R′, R⁻, R* | four different attribute range relationships |
| t_(i, 0) | the dummy attribute value assigned to a user if he/she does not possess attribute A_(i) |
| t_(i, n_(i)) | the maximum attribute value in A_(i) |
| [t_(i, a), t_(i, b)] | the attribute range on attribute A_(i) possessed by a data user |
| [t_(i, j), t_(i, k)] | the range constraint on attribute A_(i) defined by P |
| ρ_(i), ρ_(i) | the bound values associated with [t_(i, j), t_(i, k)]; it depends on the range relation over A_(i) |
| F: V → V | Multi-dimensional Range Derivation Function (MRDF) |

In certain embodiments,

={A₁ . . . ^(o), A_(m)} can be a finite set of attributes, and eachattribute A₁∈

can contain a set of attribute values comprising discrete integer values, where T_(i)={t_(i,1), t_(i,2), . . . , t_(i,n_(i))} can be a number of integer values for attribute A₁. Without loss of generality, it can be assumed that all elements in T_(i) are in ascending order such that 0≤t_(i,1)≤t_(i,2)≤ . . . ≤t_(i,n_(i))≤Z where Z is the maximum integer.

In certain embodiments, t_(A_(i))(t_(i,j), t_(i,k)) can represent a range constraint of attribute A_(i) on [t_(i,j), t_(i,k)] where 1≤j≤k≤n_(i), i.e., t_(i,j)≤t_(A_(i))≤t_(i,k).

In certain embodiments, P={

t_(A_(i)) |∀A_(i)∈

, t_(i,j)≤t_(A_(i))≤t_(i,k)} where 1≤j≤k≤n_(i) can be a policy defined by a data owner over the set of attributes

and it can be expressed as a series of AND operations.

In certain embodiments,

_(u)={

t_(A_(i)) |∀A_(i)∈

, t_(i,a)≤t_(A_(i))≤t_(i,b)} where 1≤a≤b≤n_(i) can define the attribute ranges possessed by a data user u over the set of attributes

.

FIG. 3 depicts an exemplary embodiment 50 that illustrates exemplary attribute range relations used in the disclosed CCP-CABE scheme. As illustrated in FIG. 3, a data owner can apply any one of the following attribute range relations 52 {R, R′, R⁻, R*} over each attribute A_(i), such that the data user u's attribute ranges

_(u) can satisfy the designated attribute range relations over all the attributes to access the resources. In certain embodiments, R can imply that the attribute ranges

_(u) should completely satisfy P on A_(i), and it holds if ([t_(i,j), t_(i,k)]\[t_(i,a), t_(i,b)]=Ø)

([t_(i,j), t_(i,k)]∩[t_(i,a), t_(i,b)]≠Ø). On the contrary, R′ can imply that the attribute ranges

_(u) only need to partially satisfy P on A_(i), and it holds if ([t_(i,j), t_(i,k)]\[t_(i,a), t_(i,b)]≠Ø)

([t_(i,j), t_(i,k)]∩[t_(i,a), t_(i,b)]≠Ø).

In addition, in certain embodiments, R⁻ may imply that access control policy P may designate that an eligible data user must not own attribute A_(i), which is classified as a negative attribute. In certain embodiments, if the data user u does not own attribute A_(i), he/she may be assigned a dummy integer value t_(i,0), distinct from the other attribute integer values, such that t_(i,a)=t_(i,b)=t_(i,0), and the system places t_(i,0) ahead of t_(i,1) to derive {t_(i,0), t_(i,1), . . . , t_(i,n_(i))} in order to follow the ascending order. Accordingly, in certain embodiments, there may exist t_(i,j)=t_(i,k)=t_(i,0) in access control policy P. Consequently, R⁻ may be satisfied if and only if [t_(i,j), t_(i,k)]=[t_(i,a), t_(i,b)]={t_(i,0)} holds.

Furthermore, in certain embodiments, R* may imply that the data owner does not care about attribute A_(i). In certain embodiments, t_(i,j)=t_(i,0) and t_(i,k)=t_(i,n_(i)) exist. This attribute may be classified as a wildcard. In certain embodiments, if the data owner specifies A_(i) as a wildcard, then [t_(i,j), t_(i,k)] can become [t_(i,0), t_(i,n_(i))] and it may hold the data user u's attribute range on A_(i). In certain embodiments, it may imply that ([t_(i,j), t_(i,k)]∩[t_(i,a), t_(i,b)]≠Ø) always holds if [t_(i,a), t_(i,b)]≠Ø. In this manner, CCP-CABE may be extended to be a comprehensive scheme to handle different range relations.
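The four relations R, R′, R⁻ and R* described above can be checked in the clear before any policy is encrypted; the following added Python example (not part of the patent) does so on value numbers, with t_(i,0) represented as 0. It assumes that the two conditions given for R and for R′ are joined by AND, and the attribute names, domain sizes and ranges in the sample data are constructed.

```python
from enum import Enum

DUMMY = 0   # value number of t_{i,0}, assigned when the user does not own A_i


class Rel(Enum):
    R = "R"            # user range completely satisfies the policy range
    R_PRIME = "R'"     # user range partially satisfies the policy range
    R_NEG = "R-"       # negative attribute: the user must not own it
    R_STAR = "R*"      # wildcard: the data owner does not care


def holds(rel, policy_rng, user_rng, n_i):
    """Evaluate one relation on attribute A_i with values t_{i,0}..t_{i,n_i}."""
    j, k = policy_rng
    a, b = user_rng
    for lo, hi in ((j, k), (a, b)):
        if not 0 <= lo <= hi <= n_i:
            raise ValueError(f"range [{lo}, {hi}] outside 0..{n_i}")
    if rel is Rel.R_NEG:
        # satisfied iff policy range = user range = {t_{i,0}}
        return (j, k) == (a, b) == (DUMMY, DUMMY)
    if rel is Rel.R_STAR:
        j, k = DUMMY, n_i                       # policy range becomes the whole domain
    intersects = max(j, a) <= min(k, b)         # [j,k] and [a,b] share a value
    policy_covered = a <= j and k <= b          # [j,k] \ [a,b] is empty
    if rel is Rel.R:
        return policy_covered and intersects
    if rel is Rel.R_PRIME:
        return (not policy_covered) and intersects
    return intersects                           # R*: true for any non-empty user range


def satisfies(policy, user, sizes):
    """AND over all attributes; an attribute the user lacks becomes the dummy range."""
    return all(
        holds(rel, (j, k), user.get(attr, (DUMMY, DUMMY)), sizes[attr])
        for attr, (rel, j, k) in policy.items()
    )


# Constructed sample data following the telemedicine scenario:
# rank 1=Nurse, 2=Attending Doctor, 3=Senior Doctor, 4=Clinic Director.
SIZES = {"rank": 4, "time": 10, "revoked": 1, "dept": 5}
POLICY = {
    "rank": (Rel.R_PRIME, 2, 4),      # positions higher than Nurse
    "time": (Rel.R_PRIME, 3, 6),      # between t_3 and t_6
    "revoked": (Rel.R_NEG, 0, 0),     # must not hold the (hypothetical) revoked attribute
    "dept": (Rel.R_STAR, 0, 0),       # department is irrelevant
}
SENIOR = {"rank": (3, 3), "time": (4, 5), "dept": (2, 2)}
NURSE = {"rank": (1, 1), "time": (4, 5)}
REVOKED_SENIOR = dict(SENIOR, revoked=(1, 1))

if __name__ == "__main__":
    for name, u in (("senior", SENIOR), ("nurse", NURSE), ("revoked", REVOKED_SENIOR)):
        print(name, satisfies(POLICY, u, SIZES))
```

With the conditions joined by AND, R and R′ are mutually exclusive on one attribute: a user range that covers the whole policy range satisfies R but not R′.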

In certain embodiments, the CCP-CABE system is based on a composite order bilinear map group system

_(N)=(N=pq,

,

_(T), e) where N=pq is an RSA modulus and p and q are two large primes.

and

_(T) may comprise two cyclic groups with composite order n, where n=sn′=s₁s₂p′q′ and p, q, p′, q′, s₁, s₂ are all secret large primes. e denotes a computable bilinear map e:

×

→

_(T). The map has bilinearity ∀g, h∈

, ∀a, b∈

, e(g^(a), h^(b))=e(g,h)^(ab). The map also has non-degeneracy: g and h are the generators of

, e(g, h)≠1. The map also has computability: e(g, h) is efficiently computable.

In certain embodiments,

_(s) and

_(n′) may represent subgroups of order s and n′ in

respectively, and e(g, h) may become an identity element in

_(T) if g∈

_(s), h∈

_(n′). In one exemplary embodiment, w may be the generator of

, w^(n′) may be the generator of

_(s) and w^(s) may be the generator of

_(n′). In certain embodiments, if it is assumed that g=(w^(n′))

¹ and h=(w^(s))

² for some

₁,

₂, it holds that e(g, h)=e(w

¹ , w

² )^(sn′)=1. In this manner, CCP-CABE may leverage the orthogonality between

_(n′) and

_(s) and keep N, n, s, p, q, p′, q′ secret.

In certain embodiments, a Multi-dimensional Range Derivation Function (MRDF) is proposed. In certain embodiments, lower-bound and upper-bound integer values t_(i,j), t_(i,k) may be selected out of a possible attribute range over each attribute A_(i)∈

, and derive the integer set U={t_(i,j), t_(i,k)}

. In certain embodiments, to construct a cryptographic algorithm for range comparison over multiple dimensions (or attributes), an order-preserving cryptographic map ψ: U→V may be defined for MRDF where V takes the form of ν_({t_(i,j), t_(i,k)}A_(i)∈𝔸). In certain embodiments, ν_({t_(i,j), t_(i,k)}A_(i)∈𝔸) is a cryptographic value reflecting the integer values of range bounds over each attribute A_(i)∈

. In certain embodiments, the order-preserving cryptographic map ψimplies that there exists

v_({t_(i, j), t_(i, k)}A_(i) ∈ 𝔸) = ψ({t_(i, j), t_(i, k)}_(A_(i) ∈ 𝔸)) ≼ v_({t_(i, j)^(′), t_(i, k)}A_(i) ∈ 𝔸) = ψ({t_(i, j)^(′), t_(i, k)}_(A_(i) ∈ 𝔸))  and  v_({t_(i, j), t_(i, k)}A_(i) ∈ 𝔸) = ψ({t_(i, j), t_(i, k)}_(A_(i) ∈ 𝔸)) ≼ v_({t_(i, j), t_(i, k)^(′)}A_(i) ∈ 𝔸) = ψ({t_(i, j), t_(i, k)^(′)}_(A_(i) ∈ 𝔸))  if t_(i,j)≤t′_(i,j) and t_(i,k)≤t′_(i,k) hold for each A_(i)∈

, where ≤ denotes the partial-order relations.

In certain embodiments, to construct a cryptographic MRDF for integer comparisons over multiple attributes, a multiplicative group

_(n′) of RSA-type composite order n′=p′q′, is leveraged where p′ and q′ are two large primes. In certain embodiments, a random generator φ is selected in the group

_(n′) where φ^(n′)=1. Two sets {λ_(i), μ_(i)}_(A) _(i) _(∈)

where λ_(i), μ_(i)∈

_(n)*, may then be generated and each λ_(i), μ_(i) is relatively prime to all the other elements in {λ_(i), μ_(i)}

with sufficiently large order for all A_(i)∈

. Consequently, mapping function ψ(⋅) may be defined to map an integerset U into V as shown below:

$v_{\{t_{i,j}, t_{i,k}\}_{A_i \in \mathbb{A}}} \leftarrow \psi\left(\{t_{i,j}, t_{i,k}\}_{A_i \in \mathbb{A}}\right) = \varphi^{\prod_{A_i \in \mathbb{A}} \lambda_i^{t_{i,j}} \mu_i^{Z - t_{i,k}}} \in \mathbb{G}_{n'}$

In some embodiments, MRDF may be defined as a function F: V→V based on U. This function may be defined as a multi-dimensional range derivation function if it satisfies the following two conditions:

1) the function F may be computed in polynomial time, i.e., if t_(i,j)≤t′_(i,j), t_(i,k)≥t′_(i,k), ∀A_(i)∈

, then

$v_{\{t'_{i,j}, t'_{i,k}\}_{A_i \in \mathbb{A}}} \leftarrow F_{\{t_{i,j} \le t'_{i,j},\ t_{i,k} \ge t'_{i,k}\}_{A_i \in \mathbb{A}}}\left(v_{\{t_{i,j}, t_{i,k}\}_{A_i \in \mathbb{A}}}\right),$ and

2) it is infeasible for any probabilistic polynomial time (PPT) algorithm to derive ν_({t′_(i,j), t′_(i,k)}A_(i)∈𝔸) from ν_({t_(i,j), t_(i,k)}A_(i)∈𝔸) if there exists t_(i,j)>t′_(i,j) or t_(i,k)>t′_(i,k) for some A_(i)∈

.

Specifically, F(⋅) may take the form as follows:

$v_{\{t'_{i,j}, t'_{i,k}\}_{A_i \in \mathbb{A}}} \leftarrow F_{\{t_{i,j} \le t'_{i,j},\ t_{i,k} \ge t'_{i,k}\}_{A_i \in \mathbb{A}}}\left(v_{\{t_{i,j}, t_{i,k}\}_{A_i \in \mathbb{A}}}\right) = \left(v_{\{t_{i,j}, t_{i,k}\}_{A_i \in \mathbb{A}}}\right)^{\prod_{A_i \in \mathbb{A}} \lambda_i^{t'_{i,j} - t_{i,j}} \mu_i^{t_{i,k} - t'_{i,k}}} = \left(\varphi^{\prod_{A_i \in \mathbb{A}} \lambda_i^{t_{i,j}} \mu_i^{Z - t_{i,k}}}\right)^{\prod_{A_i \in \mathbb{A}} \lambda_i^{t'_{i,j} - t_{i,j}} \mu_i^{t_{i,k} - t'_{i,k}}} = \varphi^{\prod_{A_i \in \mathbb{A}} \lambda_i^{t'_{i,j}} \mu_i^{Z - t'_{i,k}}} \in \mathbb{G}_{n'}.$

In some embodiments, ordering relationships among the integer values t_(i,j), t_(i,k), t′_(i,j), t′_(i,k) can be varied depending on the designated range relation R_(i) over each attribute A_(i). Furthermore, it may be infeasible to compute λ_(i)⁻¹ and μ_(i)⁻¹ in polynomial time due to the secrecy of n′ under the RSA assumption. In some embodiments, in addition, each λ_(i) is relatively prime to all the other elements in

, and each μ_(i) is also relatively prime to all the other elements in {μ_(i)}

. Consequently, it may be infeasible to compute ν_({t_(i,j)}A_(i)∈𝔸) from ν_({t_(i,k)}A_(i)∈𝔸), or derive ν_({t_(i,k)}A_(i)∈𝔸) from ν_({t_(i,j)}A_(i)∈𝔸) if there exists t_(i,j)≤t_(i,k) for some A_(i)∈

.

In some embodiments, the CCP-CABE scheme may comprise six algorithms as discussed below.

In some embodiments, a Setup algorithm Setup(κ,

) takes input of the security parameter κ and the attribute set

. It may output the global parameters GP for encryption and the master key MK. In some embodiments, a central Trust Authority (TA) first chooses a bilinear map system

_(N)=(N=pq,

,

_(T), e(⋅,⋅) of composite order n=sn′ and two subgroups

_(s) and

_(n′) of

. Next, the TA may select random generators w∈

, g∈

_(s) and φ, φ∈

_(n′) such that there exist e(g, φ)=e(g, φ)=1 but e(g, w)≠1. The TA may need to choose λ_(i), μ_(i)∈

_(n)*, over each attribute A_(i)∈

, and ensure that each λ_(i), μ_(i) is relatively prime to all the other elements in {λ_(i), μ_(i)}

. The TA may also employ a cryptographic hash function H: {0,1}*→

to convert a binary attribute string into a group element ∈

. In addition, the TA may pick random exponents α, β∈

_(n)*n and generate

$h = w^{\beta}$, $\eta = g^{\frac{1}{\beta}}$ and e(g,w)^(α). Consequently, the TA may keep its master key and publish the global parameters GP=(

, g, h, w, η, e(g, w)^(α), φ, {λ_(i), μ_(i)}

, H(⋅)).

In some embodiments, a KeyGen algorithm KeyGen(GP, MK, u,

_(u)) takes global parameters GP, master key MK, data user u's ID and corresponding attribute ranges

_(u) as the input. It may output public keys PK_(u) and private keys SK_(u) for each data user. In some embodiments, each user u may be labeled with a set of attribute ranges

_(u)={[t_(i,a), t_(i,b)]}_(A_(i)∈𝔸) with t_(i,a)≤t_(i,b) over all attributes. If the user u does not possess the attribute A_(i), then the TA may set t_(i,a)=t_(i,b)=t_(i,0). The TA may select unique integers τ_(u), r_(u)∈

to distinguish u from other users, and may concatenate binary string forms of all the attributes to derive A=(A₁∥A₂∥ . . . A_(m)). Consequently, for each user u with attribute ranges

_(u), his/her private key SK_(u) may be computed as

$SK_u = \left(D_0^{(u)}, D_1^{(u)}, D_2^{(u)}\right) = \left(g^{\frac{\alpha + \tau_u}{\beta}},\ g^{\tau_u}\left(H(A)\right)^{r_u},\ w^{r_u}\right),$

and his/her delegation key may be computed as

$DK_u = \left(v_{\mathcal{L}_u}\right)^{r_u} = \varphi^{r_u \prod_{A_i \in \mathbb{A}} \lambda_i^{t_{i,a}} \mu_i^{Z - t_{i,b}}},$ where $v_{\mathcal{L}_u} = v_{\{t_{i,a}, t_{i,b}\}_{A_i \in \mathbb{A}}} = \varphi^{\prod_{A_i \in \mathbb{A}} \lambda_i^{t_{i,a}} \mu_i^{Z - t_{i,b}}} \in \mathbb{G}_{n'}.$ Afterwards, the keys may be transmitted to the user u through secure channels.

In some embodiments, an EncDelegate algorithm EncDelegate(GP, MK,

) takes GP, MK, and a data owner's access control policy

as the input. It may output the partially encrypted header

for the data owner to perform further encryption. In some embodiments, the data owner first defines the access control policy of attribute constraints as

={ρ_(i), ρ _(i)}

over all attributes, and sends

to a trusted Encryption Service Provider to delegate the major part of encryption overhead if necessary. The values {ρ_(i), ρ _(i)} may correspond to the attribute constraint [t_(i,j), t_(i,k)] if the policy does not designate negative attributes or wildcards over A_(i). Upon receiving

, the Encryption Service Provider may first set ρ_(i) and ρ _(i) based on

's requirement of the range relationship

_(i) over the attribute A_(i).

The Encryption Service Provider may set ρ_(i)=t_(i,j) and ρ _(i)=t_(i,k) if there exists

_(i):=R over the attribute A_(i). The Encryption Service Provider may set ρ_(i)=t_(i,k) and ρ _(i)=t_(i,j) if there exists

_(i):=R′ over the attribute A_(i). The Encryption Service Provider may set ρ_(i)=t_(i,0) and ρ _(i)=t_(i,0) if there exists

_(i):=R⁻ (negative attribute) over the attribute A_(i). The Encryption Service Provider may set ρ_(i)=t_(i,n_(i)) and ρ _(i)=t_(i,0) if there exists

_(i):=R* (wildcard) over the attribute A_(i). Afterward, the Encryption Service Provider may compute

$v_{\mathcal{P}} = v_{\{\rho_i, \bar{\rho}_i\}_{A_i \in \mathbb{A}}} = \varphi^{\prod_{A_i \in \mathbb{A}} \lambda_i^{\rho_i} \mu_i^{Z - \bar{\rho}_i}}.$ Accordingly, the Encryption Service Provider may generate a partially encrypted header

as

=(ν

w, H(A)) and may send it to the data owner for further encryption.

In some embodiments, an Encrypt algorithm Encrypt(GP,

) takes GP and

as the input. It may create a secret ε and output the session key K_(ε) and the ciphertext header

such that only the data users with attribute ranges satisfying the access control policy can decrypt the message. In some embodiments, upon receiving the partially encrypted header

, the data owner may generate a random secret ε∈

_(n). The Encrypt algorithm may compute C=h^(ε) and the session key ek=e(g^(α), w)^(ε). To improve efficiency, the Encrypt algorithm may first generate a random key ak to encrypt the target message and may use ek to encrypt the random key ak with symmetric key encryption

_(ak)(⋅). The Encrypt algorithm may output the ciphertext header H_(P)=(

_(ek)(ak), C, E_(ε), E′_(ε))=(

_(ek)(ak), h^(ε), (ν_(P)w)^(ε), (H(A))^(ε)) and transmit

and the encrypted message along with

to the cloud for storage.

In some embodiments, a DecDelegate algorithm DecDelegate(

, PK_(u),

_(u),

) takes input of the ciphertext header H, data user u's public key PK_(u) and the access control policy

. It may output the partially decrypted header

to the data user for further decryption. In some embodiments, a data user u may delegate his/her delegation key DK_(u) and claimed attribute ranges

_(u) to the cloud. Upon receiving DK_(u) and

_(u), the cloud may check if

_(u) satisfies

over all attributes. If so, the cloud may compute (ν_(P))^(r_(u)) from (ν

_(u))^(r_(u)) as shown below:

$\begin{aligned}\left(v_{\mathcal{P}}\right)^{r_u} &= \left(v_{\{\rho_i, \bar{\rho}_i\}_{A_i \in \mathbb{A}}}\right)^{r_u} \\ &= F_{\{t_{i,a} \le \rho_i,\ t_{i,b} \ge \bar{\rho}_i\}_{A_i \in \mathbb{A}}}\left(\left(v_{\mathcal{L}_u}\right)^{r_u}\right) \\ &= F_{\{t_{i,a} \le \rho_i,\ t_{i,b} \ge \bar{\rho}_i\}_{A_i \in \mathbb{A}}}\left(\left(v_{\{t_{i,a}, t_{i,b}\}_{A_i \in \mathbb{A}}}\right)^{r_u}\right) \\ &= \left(\left(v_{\{t_{i,a}, t_{i,b}\}_{A_i \in \mathbb{A}}}\right)^{r_u}\right)^{\prod_{A_i \in \mathbb{A}} \lambda_i^{\rho_i - t_{i,a}} \mu_i^{t_{i,b} - \bar{\rho}_i}} \\ &= \left(\varphi^{r_u \prod_{A_i \in \mathbb{A}} \lambda_i^{t_{i,a}} \mu_i^{Z - t_{i,b}}}\right)^{\prod_{A_i \in \mathbb{A}} \lambda_i^{\rho_i - t_{i,a}} \mu_i^{t_{i,b} - \bar{\rho}_i}} \\ &= \left(\varphi^{\prod_{A_i \in \mathbb{A}} \lambda_i^{\rho_i} \mu_i^{Z - \bar{\rho}_i}}\right)^{r_u} \in \mathbb{G}_{n'}\end{aligned}$ where

$v_{\mathcal{P}} = v_{\{\rho_i, \bar{\rho}_i\}_{A_i \in \mathbb{A}}}$ and $v_{\mathcal{L}_u} = v_{\{t_{i,a}, t_{i,b}\}_{A_i \in \mathbb{A}}}.$ The cloud may send

=((ν

)^(r) ^(u) ,

) along with the ciphertext to the data user for further decryption.

In some embodiments, a Decrypt algorithm Decrypt(SK_(u),

) takes input of the partially decrypted ciphertext header

and the data user's private key

. It may perform further decryption over

with

and output the session key ek to decrypt the encrypted message. In some embodiments, upon receiving

from the cloud, a data user u may first compute (ν

)^(r) ^(u) D₂ ^((u))=(ν

w)^(r_(u)). The cloud may compute:

$\begin{aligned}\Gamma(\varepsilon) \leftarrow \frac{e\left(D_1^{(u)}, E_{\varepsilon}\right)}{e\left(\left(v_{\mathcal{P}} w\right)^{r_u}, E'_{\varepsilon}\right)} &= \frac{e\left(g^{\tau_u}\left(H(A)\right)^{r_u}, \left(v_{\mathcal{P}} w\right)^{\varepsilon}\right)}{e\left(\left(v_{\mathcal{P}} w\right)^{r_u}, \left(H(A)\right)^{\varepsilon}\right)} \\ &= \frac{e\left(g^{\tau_u}, \left(v_{\mathcal{P}} w\right)^{\varepsilon}\right) \cdot e\left(\left(H(A)\right)^{r_u}, \left(v_{\mathcal{P}} w\right)^{\varepsilon}\right)}{e\left(\left(v_{\mathcal{P}} w\right)^{r_u}, \left(H(A)\right)^{\varepsilon}\right)} \\ &= e\left(g^{\tau_u}, \left(v_{\mathcal{P}}\right)^{\varepsilon}\right) \cdot e\left(g^{\tau_u}, w^{\varepsilon}\right) \\ &= e\left(g^{\tau_u}, w^{\varepsilon}\right),\end{aligned}$ where e(g^(τ_(u)), (ν

)^(ε))=1. Accordingly, the data user may derive the session key ek as shown below:

$ek = \frac{e\left(C, D_0^{(u)}\right)}{\Gamma(\varepsilon)} = \frac{e\left(\left(w^{\beta}\right)^{\varepsilon}, g^{\frac{\alpha + \tau_u}{\beta}}\right)}{e(g, w)^{\tau_u \varepsilon}} = e\left(g^{\alpha}, w\right)^{\varepsilon}$ With the session key ek, the data user may first retrieve the random key ak by decrypting

_(ek)(ak) and then may derive the encrypted data with ak.

In some embodiments, a security model may be provided. In some embodiments, the Trust Authority and the Encryption Service Provider may be assumed to be fully trustworthy, and may not collude with other parties. However, data users may attempt to obtain unauthorized access to data beyond their privileges. In some embodiments, if a Cloud Provider is considered semi-honest, the CCP-CABE scheme needs to be resistant against attacks.

In some embodiments, the CCP-CABE scheme is resistant to a Key Collusion Attack (KCA). In a normal case, each data user may possess a pre-assigned public key and private key from the Trust Authority based on his/her attribute ranges. However, malicious data users may attempt to derive new private keys to reveal data protected by a multi-dimensional attribute range policy either individually or by collusion. In considering a collusion attack, security in dealing with a KCA may be evaluated by a game with multiple steps.

In a Setup step, a challenger may run the Setup algorithm. The challenger may give an adversary the global parameters and keep private keys.

In a Learning step, the adversary may query the challenger on behalf of a selected number of users {u_(l)}_(1≤l≤U) with attribute ranges {

_(ul)}_(1≤l≤U) by invoking the KeyGen algorithm. The challenger may respond by giving private keys {

,

}_(1≤l≤U) to the adversary in return.

In a Challenge step, the challenger may send a challenge on behalf of user u′ to the adversary.

In a Response step, the adversary may output

′ with respect to user u′. If

, is valid and can bring more privileges for user u′, then the adversary wins the game.

In some embodiments, the CCP-CABE scheme is resistant to a Chosen Delegation Key and Ciphertext Attack (CDKCA). In some embodiments, semi-honest cloud providers may comply with protocols and output the correct results, but are tempted to derive the information from the ciphertext header with the delegation keys from the data users without the permission of data owners. In considering a CDKCA attack, security may be evaluated by a game with multiple steps.

In a Setup step, a challenger may run the Setup algorithm. The challenger may give an adversary the global parameters and keep private keys.

In a Learning step, the adversary may query the challenger on behalf of a polynomial number of eligible users {u_(l)}_(1≤l≤U) with attribute ranges {

_(ul)}_(1≤l≤U) and

by invoking the DecDelegate algorithm. All the users may be able to derive the session key from the ciphertext header. The challenger may respond by giving delegation keys {

}_(1≤l≤U) to the adversary in return.

In a Challenge step, the challenger may send a challenge ciphertext header to the adversary. The ciphertext header may be decrypted by the users mentioned above with their private keys.

In a Response step, the adversary may output the session key from the challenge ciphertext header. If the session key is valid, the adversary wins the game.

Application Scenarios

FIG. 4 depicts an exemplary embodiment 60 that illustrates how the disclosed CCP-CABE scheme can adapt for multiple different range relationships. Two simple examples may be used to illustrate how CCP-CABE can adapt for multiple different range relationships.

In the telemedicine example of FIG. 1, a data owner applies the range relationship R, R′ over attributes A₁, A₂ respectively in the access control policy

. The “Time” attribute 62 takes value out of the integer set {t_(1,0), t_(1,1), t_(1,2), t_(1,3), t_(1,4), t_(1,5)} representing different timestamps, and the “Rank” attribute 64 takes value from the integer set {t_(2,0), t_(2,1), t_(2,2), t_(2,3), t_(2,4), t_(2,5)} representing different positions in a clinic. It can be learnt that the attribute ranges of the data user are

_(u)={[t_(1,1), t_(1,5)], [t_(2,3), t_(2,3)]}, and the attribute range constraints designated by the data owner are {[t_(1,2), t_(1,4)], [t_(2,1), t_(2,4)]}. The CCP-CABE may then perform the following operations associated with MRDF. For example, the algorithm KeyGen computes:

$v_{\mathcal{L}_u} = v_{\{t_{i,a}, t_{i,b}\}_{A_i \in \mathbb{A}}} = \varphi^{\prod_{A_i \in \mathbb{A}} \lambda_i^{t_{i,a}} \mu_i^{Z - t_{i,b}}} = \varphi^{\lambda_1^{t_{1,1}} \lambda_2^{t_{2,3}} \mu_1^{Z - t_{1,5}} \mu_2^{Z - t_{2,3}}},$ The algorithm EncDelegate computes:

$v_{\mathcal{P}} = v_{\{\rho_i, \bar{\rho}_i\}_{A_i \in \mathbb{A}}} = \varphi^{\prod_{A_i \in \mathbb{A}} \lambda_i^{\rho_i} \mu_i^{Z - \bar{\rho}_i}} = \varphi^{\lambda_1^{t_{1,2}} \lambda_2^{t_{2,4}} \mu_1^{Z - t_{1,4}} \mu_2^{Z - t_{2,1}}},$ The algorithm DecDelegate computes:

$\left(v_{\mathcal{P}}\right)^{r_u} \leftarrow F_{\{t_{i,a} \le \rho_i,\ t_{i,b} \ge \bar{\rho}_i\}_{A_i \in \mathbb{A}}}\left(\left(v_{\mathcal{L}_u}\right)^{r_u}\right) = \left(\varphi^{r_u \lambda_1^{t_{1,1}} \lambda_2^{t_{2,3}} \mu_1^{Z - t_{1,5}} \mu_2^{Z - t_{2,3}}}\right)^{\Delta} = \left(\varphi^{\lambda_1^{t_{1,2}} \lambda_2^{t_{2,4}} \mu_1^{Z - t_{1,4}} \mu_2^{Z - t_{2,1}}}\right)^{r_u},$ where $\Delta = \lambda_1^{t_{1,2} - t_{1,1}} \lambda_2^{t_{2,4} - t_{2,3}} \mu_1^{t_{1,5} - t_{1,4}} \mu_2^{t_{2,3} - t_{2,1}}.$
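The MRDF steps of this telemedicine example, written out as an added Python example that is not part of the patent: it maps each range relation to its bounds (ρ_i, ρ̄_i) as EncDelegate does, computes ψ on the Trust Authority side, and applies F on the cloud side without knowledge of n′. The small primes, the generator, the λ_i and μ_i values, Z = 5 as the upper limit of every attribute value, the mapping of t_(i,j) to the integer j, and all function names are assumptions made for illustration.

```python
"""Toy MRDF: order-preserving map psi and derivation function F.

All parameters are constructed for illustration; a deployment uses large
secret primes and keeps n' private to the Trust Authority.
"""

# Trust Authority secrets (constructed toy values)
P_SUB, Q_SUB = 491, 593                       # p', q'
N_PRIME = P_SUB * Q_SUB                       # n' = p'q', order of the subgroup
# Public modulus of the toy group: (2p'+1)(2q'+1) = 983 * 1187, both prime
MODULUS = (2 * P_SUB + 1) * (2 * Q_SUB + 1)
PHI = pow(7, 2, MODULUS)                      # a square, so PHI**N_PRIME == 1
Z = 5                                         # assumed upper limit of attribute values
LAMBDA = {1: 3, 2: 5}                         # lambda_i, one per attribute
MU = {1: 7, 2: 11}                            # mu_i, coprime to every other element


def policy_bounds(relation, t_j, t_k, n_i):
    """Return (rho_i, rho_bar_i) for the constraint [t_j, t_k], as in EncDelegate."""
    if relation == "R":       # user range must cover the whole constraint
        return t_j, t_k
    if relation == "R'":      # user range only has to overlap the constraint
        return t_k, t_j
    if relation == "R-":      # negative attribute: dummy value t_{i,0}
        return 0, 0
    if relation == "R*":      # wildcard: satisfied by any range
        return n_i, 0
    raise ValueError(f"unknown range relation {relation!r}")


def psi(bounds, blind=1):
    """TA side: phi^(blind * prod lambda_i^lower * mu_i^(Z - upper)) in G_{n'}.

    The exponent is reduced mod n', which only the key-issuing side knows.
    """
    exponent = blind % N_PRIME
    for attr, (lower, upper) in bounds.items():
        exponent = exponent * pow(LAMBDA[attr], lower, N_PRIME) % N_PRIME
        exponent = exponent * pow(MU[attr], Z - upper, N_PRIME) % N_PRIME
    return pow(PHI, exponent, MODULUS)


def derive(value, held, target):
    """Cloud side F(.): move a value from the bounds `held` to `target`.

    Works only when every lower bound rises and every upper bound falls,
    because the exponent differences must be non-negative integers; the
    other direction would need lambda_i^-1 or mu_i^-1 mod the secret n'.
    """
    delta = 1
    for attr, (lower, upper) in held.items():
        new_lower, new_upper = target[attr]
        if new_lower < lower or new_upper > upper:
            raise ValueError(f"attribute {attr}: held range does not satisfy the policy")
        delta *= LAMBDA[attr] ** (new_lower - lower) * MU[attr] ** (upper - new_upper)
    return pow(value, delta, MODULUS)


def telemedicine_example(r_u=12345):
    """User ranges {[t_1,1, t_1,5], [t_2,3, t_2,3]}; policy R on A1, R' on A2."""
    user = {1: (1, 5), 2: (3, 3)}
    policy = {1: policy_bounds("R", 2, 4, 5), 2: policy_bounds("R'", 1, 4, 5)}
    dk_u = psi(user, r_u)                     # delegation key (v_Lu)^r_u from KeyGen
    derived = derive(dk_u, user, policy)      # DecDelegate: (v_P)^r_u via Delta
    expected = psi(policy, r_u)               # what EncDelegate's v_P gives, blinded
    return derived, expected


if __name__ == "__main__":
    got, want = telemedicine_example()
    print("derived == (v_P)^r_u:", got == want)
```

A user whose Time range is [t_(1,3), t_(1,5)] fails the check in `derive`, since reaching the lower bound t_(1,2) would require a negative power of λ₁.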

In another example shown by FIG. 4, an organization may plan to select suppliers from electronic device manufacturers who produce electronic devices with the same intended use. The products of the qualified manufacturers should meet three requirements: i) the operating temperature range 66 of the electronic devices must cover the temperature range [−50° C., 80° C.]; ii) the electronic devices should have never received any incident reports 68 in the past (i.e., negative attribute); and iii) the fortune ranking 70 of the manufacturer is not concerned (i.e., wildcard). In the embodiment shown, the attribute ranges of the manufacturer are {[t_(1,0), t_(1,0)], [t_(2,1), t_(2,4)], [t_(3,3), t_(3,3)]}, and the attribute range constraints designated by the organization are {[t_(1,0)], [t_(2,2), t_(2,3)], [t_(3,0), t_(3,4)]} where t_(1,0), t_(1,0), t_(3,0)>0 and t_(1,0) implies there are no incident records. The CCP-CABE may then perform the following operations associated with MRDF. The algorithm KeyGen computes:

$v_{\mathcal{L}_u} = v_{\{t_{i,a}, t_{i,b}\}_{A_i \in \mathbb{A}}} = \varphi^{\prod_{A_i \in \mathbb{A}} \lambda_i^{t_{i,a}} \mu_i^{Z - t_{i,b}}} = \varphi^{\lambda_1^{t_{1,0}} \lambda_2^{t_{2,1}} \lambda_3^{t_{3,3}} \mu_1^{Z - t_{1,0}} \mu_2^{Z - t_{2,4}} \mu_3^{Z - t_{3,3}}},$ The algorithm EncDelegate computes:

$v_{\mathcal{P}} = v_{\{\rho_i, \bar{\rho}_i\}_{A_i \in \mathbb{A}}} = \varphi^{\prod_{A_i \in \mathbb{A}} \lambda_i^{\rho_i} \mu_i^{Z - \bar{\rho}_i}} = \varphi^{\lambda_1^{t_{1,0}} \lambda_2^{t_{2,2}} \lambda_3^{t_{3,4}} \mu_1^{Z - t_{1,0}} \mu_2^{Z - t_{2,3}} \mu_3^{Z - t_{3,0}}},$ where $\Delta = \lambda_2^{t_{2,2} - t_{2,1}} \lambda_3^{t_{3,4} - t_{3,3}} \mu_2^{t_{2,4} - t_{2,3}} \mu_3^{t_{3,3} - t_{3,0}}.$

Extended CCP-CABE

In some embodiments, the use of CCP-CABE may extend over multiple attribute domains. In some cases, multiple attribute domains may be required by independent organizations such that each organization can run an Attribute Authority (AA) to host its own attribute domain. Correspondingly, each AA may hand out secret keys for a distinct set of attributes to reflect the users' attribute values within an attribute domain. The failure of some attribute authorities may not impact the operation of other AAs. Accordingly, only the users with attribute ranges that satisfy the attribute constraints across multiple attribute domains may access that data. In addition, different attribute domains may be at different levels of confidentiality from the perspectives of different data owners, and the data owners may be able to embed the levels of confidentiality associated with attribute domains into the access control policy dynamically.

As an example, a military student's attributes associated with the army may be more confidential than his/her attributes associated with the enrolled university. Therefore, CCP-CABE can be used as a building block to an Extended CCP-CABE (ECCP-CABE). ECCP-CABE can prioritize different attribute domains to reflect different levels of confidentiality across domains. In ECCP-CABE, if one attribute range of the data user cannot satisfy the access policy in the corresponding attribute domain, then the decryption process may stop and the access policy over the remaining attribute domains may still be hidden. Table 2 lists the commonly used symbols in ECCP-CABE.

TABLE 2 Notations for ECCP-CABE
Notation | Description
A_(x), A_(x,i) | the x-th attribute domain and the i-th attribute in A_(x)
m_(x) | the number of attributes in A_(x)
n_(x,i) | the maximum number of attribute values in A_(x,i)
P_(x) | the data owner's access control policy in A_(x)
ℒ_(x,u) | the data user u's attribute ranges in A_(x)
X | the total number of attribute domains
[t_(x,i,a), t_(x,i,b)] | the attribute range on attribute A_(x,i) possessed by a data user
[t_(x,i,j), t_(x,i,k)] | the range constraint on attribute A_(x,i) defined by P_(x)
ρ_(x,i), ρ _(x,i) | the bound values associated with [t_(x,i,j), t_(x,i,k)]; it depends on the range relationship over A_(x,i)

the cipher derived from encrypting the concatenation of 

 _(x) and 

In some embodiments of ECCP-CABE, each AA generates the master key and global parameters along with users' keys associated with the AA's own attribute domain using the same Setup and KeyGen as in CCP-CABE. The data owners may delegate the encryption overhead to a trusted Encryption Service Provider as with EncDelegate in CCP-CABE. In some embodiments, the differences between CCP-CABE and ECCP-CABE lie in the algorithms of Encryption and Decryption.

In some embodiments, an ECCP-CABE Encryption algorithm is used. From the perspective of a data owner, different attribute domains may be at different levels of confidentiality. Accordingly, the data owner may sort AAs in descending order from the most confidential attribute domain to the least confidential attribute domain and derive (

₁, . . . ,

_(x)). Upon receiving the partially encrypted header

, the data owner may generate a random secret ε_(χ)∈

_(n) for each

_(χ). The Encryption algorithm may compute C_(χ)=h_(χ)^(ε_(χ)) and ek_(χ)=H₁(e(g_(χ)^(α_(χ)), w_(χ))^(ε_(χ))) for each

_(χ) with H₁:

_(T)

→{0,1}*, and generate a random key ak to encrypt the target message.

To embed levels of confidentiality into the policy, the data owner may first start from the most confidential

₁ and may use ek₁ to encrypt ak to get

=

₁∥

_(ek) ₁ (ak) where

₁ denotes the policy over

₁ and

_(ek) ₁ (⋅) denotes the symmetric encryption using ek₁. The data owner may move on to the second most confidential

₂ and compute

=

₂∥

_(ek) ₂ (

). The process may proceed until the data owner moves on to the least confidential

_(X) and computes

=

_(X)∥

_(X)(

). The Encrypt algorithm may output the ciphertext header

=(

′{C_(χ), E_(ε_(χ)), E′_(ε_(χ))}_(1≤χ≤X)) where (E_(ε_(χ)), E′_(ε_(χ)))=((ν

_(χ) w_(χ))^(ε_(χ)), (H(A_(χ)))^(ε_(χ))), and transmit

and the encrypted message to a cloud for storage.

In some embodiments, an ECCP-CABE Decryption algorithm is used. A cloud may first transmit

to a data user u such that the data user u knows the corresponding policy

_(X) over the least confidential attribute domain A_(X). Upon receiving

, the data user u may check if

_(X,u) satisfies

_(X). If so, the data user u may delegate his/her delegation key DK_(X,u) and claimed attribute ranges

_(X,u) to the cloud.

ECCP-CABE may then invoke the DecDelegate algorithm. Upon receiving DK_(X,u) and

_(X,u) the cloud may derive (ν_(X))^(r) ^(X,u) from (

)^(r) ^(X,u) in the same manner as CCP-CABE, and then may send (

)^(r) ^(X,u) to the data user for further decryption.

ECCP-CABE may then invoke the DecDelegate algorithm. As with CCP-CABE, the data user u may compute

$\Gamma(\varepsilon_X) = \frac{e\left(D_X^{(u)}, E_{\varepsilon_X}\right)}{e\left(\left(v_{\mathcal{P}_X} w_X\right)^{r_{X,u}}, E'_{\varepsilon_X}\right)},$ Data user u may compute

$e\left(g_X^{\alpha_X}, w_X\right)^{\varepsilon_X} = \frac{e\left(C_X, D_{X,0}^{(u)}\right)}{\Gamma(\varepsilon_X)}$ where $D_{X,0}^{(u)} = g_X^{\frac{\alpha_X + \tau_{X,u}}{\beta_X}}.$ The data user u may then compute ak_(X)=H₁(e(g_(X)^(α_(X)), w_(X))^(ε_(X))) and derive

. The data owner u and the cloud may move on to A_(X-1) and invoke the algorithms DecDelegate and Decrypt again. This process proceeds recursively until they reach A₁ and retrieve the session key ek. After retrieving the session key, the data user may derive the encrypted data. This onion-like decryption may enable a gradual exposure of the access control policy from the least confidential attribute domain to the most confidential attribute domain. This significantly preserves the privacy of access control policy. The data user is unable to decrypt one more level to discover the policy over the next more confidential attribute domain if his/her attribute ranges cannot satisfy the policy over the current attribute domain.

Security Analysis

In some embodiments of ECCP-CABE, each attribute authority may generate parameters and operate independently in its own attribute domain as with CCP-CABE. Accordingly, the security of ECCP-CABE fully depends on CCP-CABE. In some embodiments, security for MRDF is realized by ensuring that MRDF is hard to invert and its one-way property can be guaranteed.

Some embodiments of CCP-CABE and ECCP-CABE provide security against Key Collusion Attacks (KCA). In some embodiments, the security of CCP-CABE and ECCP-CABE schemes against KCA may rely on the confidentiality of r_(u) associated with user u's identity. A user could leverage key collusion attacks to extend his/her attribute range and increase privileges. For example, a user u′ with attribute ranges

_(u′)={[t′_(i,a), t′_(i,b)]}

may attempt to transfer another user u's attribute ranges

_(u)={[t_(i,a), t_(i,b)]}

into his/her own key, such that he/she can obtain more privilege over some attribute A_(i) as there exists t_(i,a)<t′_(i,a)<t′_(i,b)<t_(i,b). In other words, user u′ may depend on the prior knowledge of

$(SK_u, DK_u) = \left(D_0^{(u)}, D_1^{(u)}, D_2^{(u)}, DK_u\right) = \left(g^{\frac{\alpha + \tau_u}{\beta}},\ g^{\tau_u}\left(H(A)\right)^{r_u},\ w^{r_u},\ \left(v_{\mathcal{L}_u}\right)^{r_u}\right),$ $(SK_{u'}, DK_{u'}) = \left(D_0^{(u')}, D_1^{(u')}, D_2^{(u')}, DK_{u'}\right) = \left(g^{\frac{\alpha + \tau_{u'}}{\beta}},\ g^{\tau_{u'}}\left(H(A)\right)^{r_{u'}},\ w^{r_{u'}},\ \left(v_{\mathcal{L}_{u'}}\right)^{r_{u'}}\right)$ and he/she may launch KCA-I attacks to derive new keys

$\left(g^{\frac{\alpha + \tau_{u'}}{\beta}},\ g^{\tau_{u'}}\left(H(A)\right)^{r_u} w^{r_u},\ \left(v_{\mathcal{L}_u}\right)^{r_u}\right)$ by exchanging g^(τ_(u′)) or (H(A))^(r_(u′)) with some known keys. In addition, the colluders could also commit KCA-II attacks to forge new keys

$\left(g^{\frac{\alpha + \tau_{u'}}{\beta}},\ g^{\tau_{u'}}\left(H(A)\right)^{r_u},\ w^{r_{u'}},\ \left(v_{\mathcal{L}_u}\right)^{r_{u'}}\right)$ by replacing

, with some new ν

_(u) to get some advantage in their privileges, where there exists t_(i,a)<t′_(i,a)<t′_(i,b)<t_(i,b) for some attribute A_(i) in

_(u). In some embodiments, CCP-CABE and ECCP-CABE are resistant against KCA-I and KCA-II attacks by making it infeasible for the users to forge new keys with more privileges by key collusion.

Some embodiments of CCP-CABE and ECCP-CABE provide security against Chosen Delegation Key and Ciphertext Attacks (CDKCA). In some embodiments, the DLP assumption makes it hard for a cloud provider to derive ε from the ciphertext header (C=h^(ε), E_(ε)=(ν

w)^(ε), E′_(ε)=(H(A))^(ε)). The cloud provider cannot obtain any advantage in CDKCA with a polynomial number of delegation keys and ciphertext headers. The delegation keys DK

_(u) contain only part of the information, and r_(u) prevents applying one user's delegation key to another user's decryption process. Additionally, the secret keys are not disclosed to the cloud providers, so it is infeasible to cancel out r_(u), τ_(u) and derive ek=e(g^(α), w)^(ε) without the secret keys. Consequently, it is infeasible for an honest-but-curious cloud provider to reveal encrypted content by taking advantage of the ciphertext and the delegation keys.

Performance Evaluation

In some embodiments, encryption and decryption offloading in a CCP-CABE scheme significantly reduce the computational cost of lightweight devices, and the CCP-CABE scheme is suitable for resource-constrained data owners and data users.

A complexity analysis may be performed to compare the CCP-CABE scheme with CBE, ABE-AL, and CP-ABE schemes. CBE and ABE-AL utilize different forward/backward derivation functions for comparison-based encryption and decryption. CP-ABE and its variants use a bit-wise matching method to implement integer comparison for comparison-based access control. CCP-CABE may only focus on the pairing and exponentiation operations while neglecting the hash and multiplication cost in both

and

_(T) as well as symmetric encryption/decryption cost, since they are much faster compared to the pairing and exponentiation operations. CCP-CABE may use similar notations to CBE for these operations in both

and

_(T). For illustrative purposes, B may indicate the bit form of the upper and lower bound values of the attribute range for comparison in CP-ABE and P may denote bilinear pairing cost. E(

) and E(

_(T)) may refer to the exponential computation overhead in

and

_(T) respectively. E(

_(n)*) may refer to the exponential computation overhead in

_(n)*.

may represent the number of leaves in an access tree and S may represent attributes involved in encryption and decryption. L may be the ciphertext size resulting from symmetric encryption with the session key ek.

Differences of key size and ciphertext size between these schemes may be shown in Table 3.

TABLE 3 Comparison of key size and ciphertext size Scheme Key Size Ciphertext Size CP-ABE (1 + 2|S||B|)

 _(T) + (2| 

 ||B| + 1) + 1) 

CBE (1 + 4|S|) 

(4| 

 | + 1) 

ABE-AL (1 + |S|) 

 + |S| 

I_(G) _(T) + (2| 

 | + 1) 

CCP-CABE 4 

L + 3 

For illustrative purposes, it is clear that the key size in CP-ABE, CBE and ABE-AL grows linearly with the number of associated attributes S. The ciphertext size in these three schemes also increases proportionally with the number of attributes

in the access tree. In contrast, CCP-CABE keeps both the key size and ciphertext size constant irrespective of the number of involved attributes. Table 4 gives the comparison between these schemes regarding the total communication cost on mobile devices including key generation, delegation, encryption and decryption.

TABLE 4 Comparison of communication overhead Scheme Communication Cost CP-ABE 2

 + (2|S||B| + 4|

||B| + 3)  

CBE 3 

 + (3 + 10|S | + 8|

|)  

  ABE-AL 2 

 + (2 + |S| + 4|

|)  

  + |S| 

CCP-CABE 2L +  

 + 15  

 

For illustrative purposes, it is clear that the communication costs of the first three schemes also grow with the number of related attributes, while the communication cost of CCP-CABE remains constant regardless of the number of attributes. The communication overhead caused by the transmission of

and

_(u) may be discounted. Because these attributes are cleartext, they can be pre-distributed and compressed into a very small size.

The computation overhead of encryption and decryption on mobile devices may be shown in Table 5 and Table 6 respectively.

TABLE 5 Comparison of encryption overhead Scheme Encryption CP-ABE P + (1 + 2|

 ||B|)E( 

 ) CBE (1 + 4| 

 |)E( 

 ) + E( 

 _(T)) ABE-AL (2| 

 | + 1)E( 

 ) + E( 

 _(T)) CCP-CABE 3E( 

 ) + E( 

 _(T))

TABLE 6 Comparison of decryption overhead Scheme Decryption CP-ABE (2 + 3|S||B|)E(

 _(T)) + 2|S||B|P CBE P + (5|S| + 1)E( 

 ) ABE-AL 2|S|P + (|S| + 2)E( 

 _(T)) + 2|S|E( 

 ) CCP-CABE 3P

For illustrative purposes, it may be assumed that both a cloud provider and an Encryption Service Provider are resource-rich in computation capability, making the computation overhead on mobile devices the only concern. The encryption and decryption overhead in CCP-CABE may stay the same irrespective of the number of attributes involved. This may be accomplished by offloading all computation-intensive operations to the resource-rich Encryption Service Provider and cloud providers. Conversely, the computation cost of the other three schemes increases with the number of associated attributes.

In some embodiments, ECCP-CABE uses CCP-CABE as a building block, revealing the policy domain by domain unless it reaches the most sensitive attribute domain. Correspondingly, gradual identity exposure (GIE), a variant of CP-ABE, enables the exposure of the access policy attribute by attribute. For illustrative purposes, B indicates the bit form of the upper and lower bound values of the attribute range for comparison,

represents the number of leaves in the tree and S represents the attributes involved in encryption and decryption in GIE. In addition, there may exist X attribute domains in ECCP-CABE and the size of

is L. Therefore, ECCP-CABE can be compared with GIE in terms of key size, ciphertext size, and communication cost associated with encryption, delegation and decryption. This comparison is shown in Table 7. A comparison regarding computation cost between GIE and ECCP-CABE is shown in Table 8.

TABLE 7 Comparison of key size, ciphertext size and communication cost between GIE and ECCP-CABE Metric GIE ECCP-CABE Key Size (1 + 2|S||B|)

4X 

Ciphertext Size I_(GT) + (2| 

 ||B| + 1) 

L + 3X 

Comm. Cost 21_(G) _(T) + (2|S||B| + I_(G) _(T) + (1 + X)L + 4| 

 ||B| + 3) 

17X 

TABLE 8 Comparison of computation cost between GIE and ECCP-CABE Operation GIE ECCP-CABE Encryption P + (1 + 2|r||B|)E(

 ) 3XE(G) + XE( 

 _(T)) Decryption (2 + 3|S||B|)E( 

 _(T)) + 3X l 

2|S||B|P

For illustrative purposes, it can be seen that the key size, ciphertext size and communication cost of GIE grow linearly with the number of associated attributes, while those of ECCP-CABE increase with the number of attribute domains. This also applies to GIE and ECCP-CABE in terms of encryption and decryption cost. In a real-world scenario, the number of attribute domains may usually be smaller than the number of attributes, ensuring that ECCP-CABE may generally be more efficient than GIE in terms of communication and computation cost.

FIGS. 5-7 show exemplary embodiments 70, 80, 90 of the disclosed CCP-CABE scheme implemented on a computing device. In the embodiment shown, the CCP-CABE scheme is implemented on a mobile cloud platform and a smartphone. In the embodiment shown, the Trust Authority, Encryption Service Provider and cloud provider are simulated by virtual machines comprising a CPU and memory hosted by a mobile cloud platform. In the embodiment shown, the mobile device comprises a CPU and memory. In the embodiment shown, the Java Pairing-Based Cryptography (jPBC) library is utilized. In the embodiment shown, a bilinear map system S of composite order n where n=s₁s₂p′q′ and |p′|=|q′|=256 bits is used.

FIG. 5 illustrates an embodiment 70 showing the impact of the range 72 of integer comparison on the computational costs/overhead 74 of the algorithms in CCP-CABE, where the total number of attributes is set as 10. In the embodiment shown, the value range of each attribute is [1, Z] and Z takes the form of 2^(x). The data owner may adopt the range relationship R and designate $\left[\frac{3}{8}Z, \frac{5}{8}Z\right]$ as the attribute constraint over each attribute. The attribute range of the data user may be $\left[\frac{1}{8}Z, \frac{7}{8}Z\right]$. Therefore, in the embodiment shown, the comparison range is $\frac{Z}{4}$ and it grows from 2 to 2¹² as x increases from 3 to 14. This demonstrates that the comparison range 72 has negligible impact over the computational cost 74 of the algorithms in CCP-CABE. This also implies that each attribute can have many integer values for comparison without increasing the computational overhead in real-world settings.

FIG. 6 illustrates an embodiment 80 where the comparison range is fixed as 2⁴. In the embodiment shown, the computational cost 82 of KeyGen, EncDelegate and DecDelegate running on a server grows almost linearly as the number of attributes 84 increases from 1 to 12. Meanwhile, in the embodiment shown, the computational cost 82 of Encrypt and Decrypt remains the same irrespective of the number of attributes 84, which is suitable for resource-constrained mobile devices.

FIG. 7 illustrates an embodiment 90 where each attribute domain has 6 attributes and the comparison range of each attribute is 2⁴. In the embodiment shown, AES-128 is used for recursive encryption and decryption over attribute domains 92. In the embodiment shown, as each attribute authority is only responsible for Setup, KeyGen and EncDelegate in its own domain, its performance is approximately the same as that in CCP-CABE. In the embodiment shown, the computational cost 94 of Encrypt, DecDelegate and Decrypt grows with the number of attribute domains 92. As the number of attribute domains 92 is usually much smaller than the number of attributes, the computational overhead is still acceptable. Therefore, the data owner may associate the policy only with the concerned attribute domains to reduce overhead.

System Embodiments

Those of skill in the art will appreciate that the algorithms and method steps described in connection with embodiments disclosed herein can often be implemented as logic circuitry in electronic hardware, computer software, or combinations of both. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. Skilled persons can implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the invention.

Moreover, the various illustrative algorithms and methods described in connection with the embodiments disclosed herein can be implemented or performed with a general purpose processor, a digital signal processor (“DSP”), an ASIC, FPGA or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general-purpose processor can be a microprocessor, but in the alternative, the processor can be any processor, controller, microcontroller, or state machine. A processor can also be implemented as a combination of computing devices, for example, a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.

Additionally, the steps of a method or algorithm described in connection with the embodiments disclosed herein can be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module can reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium including a network storage medium. An exemplary storage medium can be coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium can be integral to the processor. The processor and the storage medium can also reside in an ASIC.

The above specification and examples provide a complete description of the structure and use of exemplary embodiments. Although certain embodiments have been described above with a certain degree of particularity, or with reference to one or more individual embodiments, those skilled in the art could make numerous alterations to the disclosed embodiments without departing from the scope of this invention. As such, the various illustrative embodiments of the present devices are not intended to be limited to the particular forms disclosed. Rather, they include all modifications and alternatives falling within the scope of the claims, and embodiments other than the one shown may include some or all of the features of the depicted embodiment. For example, components may be combined as a unitary structure and/or connections may be substituted. Further, where appropriate, aspects of any of the examples described above may be combined with aspects of any of the other examples described to form further examples having comparable or different properties and addressing the same or different problems. Similarly, it will be understood that the benefits and advantages described above may relate to one embodiment or may relate to several embodiments.

The claims are not intended to include, and should not be interpreted to include, means-plus- or step-plus-function limitations, unless such a limitation is explicitly recited in a given claim using the phrase(s) “means for” or “step for,” respectively.

The invention claimed is:
 1. A method for encrypting data in a computer based processing system using a trust authority with a public key PK and a master key MK, the method comprising: sending a request for a partially encrypted header {tilde over (H)} to the trust authority with a specified access control policy Ps; receiving a partially encrypted header computed by the trust authority, wherein the partially encrypted header {tilde over (H)} is based on the public key PK, the master key MK, and the specified access control policy Ps; encrypting data using the partially encrypted header {tilde over (H)}; wherein the data is encrypted according to the following algorithm: Encrypt(Ĥ)→(H, K_(s)): Given the partially encrypted header, the algorithm produces the session key K_(s) and ciphertext H={

_(S), C, E _(S) , E _(S) , Ê _(S) , Ê _(S) } to cloud storage; and further wherein each part of H is generated as follows: 1) randomly choosing two secrets s₁, s₂ ∈

_(n), 2) computing the main secret s=s₁+s₂ ∈

_(n) and deriving C=sW∈

, 3) producing the session key K_(s)=e(G, W)^(αs) and using K_(s) to encrypt the data, 4) computing E _(S) =s₁T and E _(S) =s₂T, and 5) computing each of Ê _(S) =s₁{right arrow over (ψ)} _(S) T·s₁W=s₁{right arrow over (ψ)} _(S) λW·s₁W=s₁(λ{right arrow over (ψ)} _(S) +1)W and Ê _(S) =s₂

_(S) T·s₂W=s₂

_(S) λW·s₂W=s₂(λ

_(S) +1)W.
 2. The method of claim 1, wherein the step of encrypting the data comprises generating the session key K_(s) and the ciphertext H using the partially encrypted header {tilde over (H)}.
 3. The method of claim 1, wherein the computer based processing system is a cloud storage system.
 4. The method of claim 1, wherein the size of any key and any ciphertext overhead remains constant without regard to a number of attributes.
 5. The method of claim 1, wherein the algorithm term H={

_(S), C, E _(S) , E _(S) , Ê _(S) , Ê _(S) } represents ciphertext H being generated as a function of: C, the product of the main secret s (the sum of two random secrets s₁ and s₂) and generator W, which are elements of set

; E _(S) , the product of secret 1 (s₁) and T=λW∈

, the product of λ and generator W, elements of set

; E _(S) , the product of secret 2 (s₂) and T=λW∈

, the product of λ and generator W, elements of set

; Ê _(S) the function of secret 1 (s₁), λ (an element of the master key), {right arrow over (ψ)} _(S) (the first part of the partially decrypted header) and generator W; and Ê _(S) , the function of secret 2 (s₂), λ (an element of the master key),

_(S) (the second part of the partially decrypted header) and generator W.
 6. A method of decrypting data, wherein the method comprises: storing the data in a computer based processing system, wherein the data includes an encrypted header H and encrypted target data; receiving a request for access to the data, wherein the request includes a user identity; partially decrypting an encrypted header H when the user is entitled to access the data based on the user's public key PKLU, privilege LU and access control policy Ps; sending the partially decrypted header {tilde over (H)} to the user; wherein partially decrypting the header H is performed according to the following algorithm: DecDelegate(H, PK

_(u) ,

_(u),

_(S))→Ĥ: Given the user's public key PK

_(u) and privilege

_(u) along with the access control policy

_(s), the algorithm outputs {right arrow over (ψ)} _(S) and

_(S) when [ν_(i,j), ν_(i,k)]∩[ν_(i,a), ν_(i,b)]≠Ø for all A_(i)∈

:

({right arrow over (ψ)} _(U) )=({right arrow over (ψ)} _(U) ) ^(w)^(U,s) =({right arrow over (π)}^(Π) ^(1≤i≤m) ^({right arrow over (w)})^(i,a) )^(Π) ^(1≤i≤m) ^((w) ^(i,(a,k)) ⁾={right arrow over (ψ)} _(S)(mod n)

(

_(Ū))=(

_(Ū)) ^(w) ^(s,Ū) =(

^(Π) ^(1≤i≤m)

^(i,b) )^(Π) ^(1≤i≤m) ^((w) ^(i,(j,b)) ⁾=

_(s) (mod n); where {right arrow over (w)} _(U,s) =Π_(1≤i≤m)(w_(i,(a,k))) and w _(S,Ū)=Π_(1≤i≤m)(w _(i,(j,b))); and further wherein the algorithm outputs {tilde over (H)}={H,{right arrow over (ψ)} _(U) −{right arrow over (ψ)} _(S) ,

_(Ū)−

_(S) } as the partially decrypted header.
 7. The method of claim 6, further comprising: retrieving a session key K_(s); Decrypt(

, Ĥ)→K_(S): Given the delegation key

and header Ĥ, the algorithm performs the following computation:
$\begin{aligned}
\Gamma(s_1) &= e\left(\overrightarrow{A}_u,\ \hat{E}_{\overline{S}} \cdot \left(\overrightarrow{\psi}_{\underline{U}} - \overrightarrow{\psi}_{\overline{S}}\right) E_{\overline{S}}\right) \\
&= e\left(\overrightarrow{A}_u,\ s_1\left(\lambda\overrightarrow{\psi}_{\overline{S}} + 1\right) W \cdot \left(\overrightarrow{\psi}_{\underline{U}} - \overrightarrow{\psi}_{\overline{S}}\right) s_1 \lambda W\right) \\
&= e\left(\overrightarrow{A}_u,\ s_1\left(\lambda\overrightarrow{\psi}_{\overline{S}} + 1 + \lambda\overrightarrow{\psi}_{\underline{U}} - \lambda\overrightarrow{\psi}_{\overline{S}}\right) W\right) \\
&= e\left(\frac{\gamma_u}{\lambda\overrightarrow{\psi}_{\underline{U}} + 1} G,\ s_1\left(\lambda\overrightarrow{\psi}_{\underline{U}} + 1\right) W\right) \\
&= e(G, W)^{\frac{\gamma_u}{\lambda\overrightarrow{\psi}_{\underline{U}} + 1} \cdot s_1\left(\lambda\overrightarrow{\psi}_{\underline{U}} + 1\right)} \\
&= e(G, W)^{\gamma_u s_1} \\
\Gamma(s_2) &= e\left(\overleftarrow{A}_u,\ \hat{E}_{\underline{S}} \cdot \left(\overleftarrow{\psi}_{\overline{U}} - \overleftarrow{\psi}_{\underline{S}}\right) E_{\underline{S}}\right) \\
&= e\left(\overleftarrow{A}_u,\ s_2\left(\lambda\overleftarrow{\psi}_{\underline{S}} + 1\right) W \cdot \left(\overleftarrow{\psi}_{\overline{U}} - \overleftarrow{\psi}_{\underline{S}}\right) s_2 \lambda W\right) \\
&= e\left(\overleftarrow{A}_u,\ s_2\left(\lambda\overleftarrow{\psi}_{\underline{S}} + 1 + \lambda\overleftarrow{\psi}_{\overline{U}} - \lambda\overleftarrow{\psi}_{\underline{S}}\right) W\right) \\
&= e\left(\frac{\gamma_u}{\lambda\overleftarrow{\psi}_{\overline{U}} + 1} G,\ s_2\left(\lambda\overleftarrow{\psi}_{\overline{U}} + 1\right) W\right) \\
&= e(G, W)^{\frac{\gamma_u}{\lambda\overleftarrow{\psi}_{\overline{U}} + 1} \cdot s_2\left(\lambda\overleftarrow{\psi}_{\overline{U}} + 1\right)} \\
&= e(G, W)^{\gamma_u s_2};
\end{aligned}$
and deriving $I = \Gamma(s_1) \cdot \Gamma(s_2) = e(G, W)^{\gamma_u s}$.
 8. The method of claim 7, further comprising decrypting data utilizing the session key K_(s).
 9. The method of claim 8, wherein the processing system comprises a cloud storage system.
 10. The method of claim 6, wherein the access control policy Ps is revealed at an attribute domain level.
 11. The method of claim 6, wherein encryption of the header H and the partially decrypting of the encrypted header H are performed over each of a plurality of attribute domains in a batch-processing manner.
 12. The method of claim 6, wherein the algorithm terms

({right arrow over (ψ)} _(U) )=({right arrow over (ψ)} _(U) ) ^(w)^(U,s) =({right arrow over (π)}^(Π) ^(1≤i≤m) ^({right arrow over (w)})^(i,a) )^(Π) ^(1≤i≤m) ^((w) ^(i,(a,k)) ⁾={right arrow over (ψ)} _(S)(mod n);

(

_(Ū))=(

_(Ū)) ^(w) ^(S,Ū) =(

^(Π) ^(1≤i≤m)

^(i,b) )^(Π) ^(1≤i≤m) ^((w) ^(i,(j,b)) ⁾=

_(s) (mod n); and {tilde over (H)}={H,{right arrow over (ψ)} _(U) −{right arrow over (ψ)} _(S) ,

_(Ū)−

_(S) } only if [ν_(i,j), ν_(i,k)]∩[ν_(i,a), ν_(i,b)]≠Ø for all A _(i)∈

represent the first and second parts of the partially decrypted header {right arrow over (ψ)} _(S) and

_(S) , respectively, as outputted when the user's attribute range (A_(i)) on the i-th attribute of the

attribute set [ν_(i,a), ν_(i,b)] matches the access control policy's attribute range on attribute A_(i) [ν_(i,j), ν_(i,k)]; and wherein the partially decrypted header is outputted as a function of encrypted header H, the difference between the first part of the public key {right arrow over (ψ)} _(U) and partially decrypted header {right arrow over (ψ)} _(S) and the difference between the second part of the public key

_(Ū) and the second part of the partially decrypted header

_(S) .
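The header algebra of claims 1, 6 and 7 can be checked numerically with the added sketch below, which is not code from the patent or from jPBC. It assumes a toy "exponent model" with no security value: each group element aG or aW is stored as the scalar a, the pairing e(aG, bW) is stored as the exponent ab, the group order is a prime N rather than the composite n of the described embodiment, the ψ values are constructed random scalars rather than outputs of the derivation functions, and the shape of the partially encrypted header returned by `enc_delegate` is inferred from step 5 of claim 1.

```python
import secrets

N = 2**127 - 1  # prime toy group order (assumption; the page uses a composite n)

def rnd():
    """Random nonzero scalar in Z_N."""
    return secrets.randbelow(N - 1) + 1

def pair(a, b):
    """e(aG, bW) = e(G, W)^(ab); a target-group element is stored as its exponent."""
    return a * b % N

def enc_delegate(lam, psi_s):
    """Trust-authority side (assumed shape): T = lam*W plus psi_S*T per direction."""
    return {"T": lam, "psiT": [p * lam % N for p in psi_s]}

def encrypt(partial):
    """Claim 1, steps 1-5. Returns (header, main secret s = s1 + s2)."""
    s1, s2 = rnd(), rnd()
    T, (pf, pb) = partial["T"], partial["psiT"]
    header = {
        "C": (s1 + s2) % N,                 # C = sW
        "E": [s1 * T % N, s2 * T % N],      # s1*T and s2*T
        "Ehat": [(s1 * pf + s1) % N,        # s1*psi_S*T . s1*W = s1(lam*psi_S + 1)W
                 (s2 * pb + s2) % N],
    }
    return header, (s1 + s2) % N

def keygen(lam, gamma_u, psi_u):
    """A_u = gamma_u / (lam*psi_U + 1) * G, forward and backward parts (claim 7)."""
    return [gamma_u * pow(lam * p + 1, -1, N) % N for p in psi_u]

def dec_delegate(header, psi_u, psi_s):
    """Cloud side: attach psi_U - psi_S for each direction (claim 6 output)."""
    return dict(header, delta=[(u - s) % N for u, s in zip(psi_u, psi_s)])

def decrypt(key, h):
    """Claim 7: Gamma(s_i) = e(A_u, Ehat . delta*E); I = Gamma(s1) * Gamma(s2)."""
    gammas = [pair(a, (eh + d * e) % N)     # group op "." is addition of scalars
              for a, eh, d, e in zip(key, h["Ehat"], h["delta"], h["E"])]
    return sum(gammas) % N                  # product in G_T = sum of exponents

def demo():
    """Returns (matching key recovers gamma_u*s, mismatched key recovers it)."""
    lam, gamma_u = rnd(), rnd()
    psi_s = [rnd(), rnd()]                  # policy values, constructed
    psi_u = [rnd(), rnd()]                  # user values, constructed
    header, s = encrypt(enc_delegate(lam, psi_s))
    partial = dec_delegate(header, psi_u, psi_s)
    ok = decrypt(keygen(lam, gamma_u, psi_u), partial)
    # A key issued for other psi values leaves the (lam*psi + 1) factor uncancelled.
    bad = decrypt(keygen(lam, gamma_u, [rnd(), rnd()]), partial)
    return ok == gamma_u * s % N, bad == gamma_u * s % N

if __name__ == "__main__":
    print(demo())
```

Claim 7 ends at I = e(G, W)^(γ_u s), so the sketch stops there as well; the step from I to the session key K_s = e(G, W)^(αs) is not given in this part of the text.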